Last month, the California Attorney General approved the final set of regulations interpreting the requirements of the California Consumer Privacy Act (Cal. Civ. Code Sections 1798.100 et seq.) (the “CCPA”).
What does it include?
The final CCPA regulations include a number of points of clarification such as what it means to provide “notice at collection,” the methods to provide a consumer with access to a business’s privacy policy and what content is required to be disclosed in that privacy policy, and the methods by which a company must provide consumers with a right to opt out from the sale of their personal information.
What does it remove?
The final CCPA regulations remove a few provisions from the CCPA, though privacy professionals should be wary of assuming that such removals are clear-cut. For example:
Explicit consent to use a consumer’s personal information for a purpose different than initially disclosed is no longer required.
Section 999.305(a)(5). The provision initially read “A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.” (emphasis added.)
However, notice is still required by Section 1798.100(b), which provides that businesses “shall not… use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”
Offline businesses have more flexibility (“more” being the operative word) in providing consumers with an offline method to opt out of the sale of personal information.
Section 999.306(b)(2) previously read: “A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to where the notice can be found online.”
However, the newly renumbered Section 999.306(b)(2) still requires any business that does not operate a website to “establish, document, and comply with another method by which it informs consumers of their right to opt-out.” So while the new section is less specific (hence, provides “more” flexibility), the requirement still exists.
The method by which businesses must allow consumers to opt out is subject to less strict standards, kind of.
Section 999.315(c) previously read: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.” (emphasis added.)
In theory, this lowers the standard for how easy it is for consumers to exercise their opt-out rights. In practice, however, the impact is unclear. The responsibility remains with businesses to critically consider how accessible the method is for a consumer to opt out, and businesses are still required to provide two methods of exercising such right. So while the method may not have to be minimal or easy, the likelihood of the California Attorney General looking favorably on methods which are inaccessible is, at minimum, not high.
The result?
Now that these regulations have been approved and published, the burden shifts to companies to assess and implement compliance strategies. As privacy pundits predicted, the CCPA has already become ripe ground for litigation, which is likely only to grow with enforcement.